The current authentication setting is included in the menu title. For example, if basic authentication is configured as it is by default, the menu option is Admin UI – Basic.

  1. Click Settings and then go to Admin Authentication > UI Session Properties.
  2. In the Cookie Type list, select a type of token to create.
    • Encrypted JWT (default): An encrypted JSON Web Token (JWT) uses authenticated encryption to simultaneously provide confidentiality, integrity, and authenticity of the PingAccess token.
    • Signed JWT: A signed JWT uses asymmetric cryptography with a private-public key pairing to verify the signed message and confirm that it wasn't modified during transit.

    Changing this setting could affect existing ongoing sessions, forcing the user to reauthenticate to access protected resources.

  3. In the Audience field, enter a short, unique identifier between 1 - 32 characters to define the audience to which the PingAccess token applies.

    The default value is PingAccessUI.

    Requests made to a target application that’s associated with this web session must have a PingAccess token that matches the configured audience value. Otherwise, PingAccess redirects to the OIDC provider.


    Changing this setting can affect existing ongoing sessions, forcing the user to reauthenticate to access protected resources.

  4. In the Idle Timeout field, enter the amount of time, in minutes, that the PingAccess token remains active if PingAccess doesn't detect any user activity.

    The default value is 60 minutes. If an idle timeout occurs, PingAccess automatically terminates the associated session.


    If the user has a valid existing PingFederate session when an idle timeout occurs in an associated PingAccess session, the PingAccess session might re-establish itself without prompting the user to sign on again.

  5. In the Max Timeout field, enter a maximum amount of time, in minutes, that the PingAccess token remains active.

    The default value is 240 minutes. When the PingAccess token expires, the associated user must reauthenticate. This protects against unauthorized resource use by ensuring that sessions end by the specified time and require the associated user to reauthenticate to continue.


    If PingFederate is the token provider, this value must be smaller than the PingFederate access token lifetime defined in the PingFederate access token management instance. Learn more in Configuring Reference-Token Management.

  6. In the Expiration Warning field, enter the amount of time, in minutes, before the session expires that PingAccess warns the user about the upcoming session expiration.

    The default value is 1 minute.

  7. In the Session Poll Interval field, enter the amount of time, in seconds, that PingAccess waits between user info poll requests for the admin console.

    The default value is 10 seconds.

  8. Select Partitioned Cookie to add the Partitioned attribute to the PingAccess admin console web session cookie.

    This ensures that cross-site cookies will continue to be readable within the same context that they're created in. Learn more in PingAccess 8.1 (June 2024).

    This checkbox is cleared by default.


    Use the Partitioned Cookie checkbox to override the value of the pa.default.session.cookie.attributes.partitioned property in the file for the admin web session without needing to apply changes to all of the nodes in a PingAccess cluster and restart them.

  9. Click Save.